Merge pull request #676 from cybozu-go/backport-1.26-dnssec

Backport #675 to enable DNSSEC validation

Author: yokaze

docs/k8s.md

@@ -55,6 +55,7 @@ CoreDNS.
 
 For other domain names such as `www.google.com`, node-local DNS cache servers can be
 configured to send queries to upstream DNS servers defined in [cluster.yml](./cluster.md).
+CKE validates the integrity of the replies using DNSSEC validation.
 
 ## Certificates for admission webhooks
 

images.go

@@ -15,7 +15,7 @@ const (
 	ToolsImage           = Image("quay.io/cybozu/cke-tools:1.26.0")
 	PauseImage           = Image("quay.io/cybozu/pause:3.9.0.1")
 	CoreDNSImage         = Image("quay.io/cybozu/coredns:1.10.1.1")
-	UnboundImage         = Image("quay.io/cybozu/unbound:1.17.1.4")
+	UnboundImage         = Image("ghcr.io/cybozu/unbound:1.18.0.2")
 	UnboundExporterImage = Image("quay.io/cybozu/unbound_exporter:0.4.1.5")
 )
 

mtest/kubernetes_test.go

@@ -149,6 +149,20 @@ func testKubernetes() {
 			}
 			return nil
 		}).Should(Succeed())
+
+		Eventually(func() error {
+			stdout, stderr, err := kubectl("get", "service", "-n="+namespace, "httpd", "-o", "jsonpath='{.spec.clusterIP}'")
+			if err != nil {
+				return fmt.Errorf("%v: stderr=%s", err, stderr)
+			}
+			ip := string(stdout)
+
+			_, stderr, err = kubectl("exec", "-n="+namespace, "client", "getent", "hosts", ip)
+			if err != nil {
+				return fmt.Errorf("%v: stderr=%s", err, stderr)
+			}
+			return nil
+		}).Should(Succeed())
 	})
 
 	It("updates unbound config", func() {
@@ -236,7 +250,7 @@ func testKubernetes() {
 			return nil
 		}).Should(Succeed())
 
-		By("querying www.google.com using node DNS from ubuntu pod")
+		By("querying www.cybozu.com using node DNS from ubuntu pod")
 		_, stderr, err = kubectl("run", "-n="+namespace, "--image=quay.io/cybozu/ubuntu:22.04", "--restart=Never",
 			"client", "--", "pause")
 		Expect(err).NotTo(HaveOccurred(), "stderr: %s", stderr)
@@ -245,6 +259,12 @@ func testKubernetes() {
 			return err
 		}).Should(Succeed())
 
+		By("querying www.dnssec-failed.org using node DNS from ubuntu pod")
+		Consistently(func() error {
+			_, _, err := kubectl("exec", "-n="+namespace, "client", "getent", "hosts", "www.dnssec-failed.org")
+			return err
+		}).WithTimeout(time.Second * 5).WithPolling(time.Second * 1).ShouldNot(Succeed())
+
 		By("getting metrics from unbound_exporter")
 		Eventually(func() error {
 			stdout, _, err := kubectl("exec", "-n=kube-system", "daemonset/node-dns", "-c", "unbound", "--", "curl", "-sSf", "http://127.0.0.1:9167/metrics")

op/nodedns/nodedns.go

@@ -69,6 +69,26 @@ server:
   local-zone: "29.172.in-addr.arpa." transparent
   local-zone: "30.172.in-addr.arpa." transparent
   local-zone: "31.172.in-addr.arpa." transparent
+  trust-anchor-file: "/usr/local/unbound/etc/unbound/root.key"
+  domain-insecure: "{{ .Domain }}"
+  domain-insecure: "10.in-addr.arpa."
+  domain-insecure: "168.192.in-addr.arpa."
+  domain-insecure: "16.172.in-addr.arpa."
+  domain-insecure: "17.172.in-addr.arpa."
+  domain-insecure: "18.172.in-addr.arpa."
+  domain-insecure: "19.172.in-addr.arpa."
+  domain-insecure: "20.172.in-addr.arpa."
+  domain-insecure: "21.172.in-addr.arpa."
+  domain-insecure: "22.172.in-addr.arpa."
+  domain-insecure: "23.172.in-addr.arpa."
+  domain-insecure: "24.172.in-addr.arpa."
+  domain-insecure: "25.172.in-addr.arpa."
+  domain-insecure: "26.172.in-addr.arpa."
+  domain-insecure: "27.172.in-addr.arpa."
+  domain-insecure: "28.172.in-addr.arpa."
+  domain-insecure: "29.172.in-addr.arpa."
+  domain-insecure: "30.172.in-addr.arpa."
+  domain-insecure: "31.172.in-addr.arpa."
 remote-control:
   control-enable: yes
   control-interface: {{ if .LocalControl }} /var/run/unbound/unbound.sock {{ else }} 127.0.0.1 {{ end }}